6.3.1 User Names and Passwords

MySQL stores accounts in the user table of the
mysql system database. An account is defined in
terms of a user name and the client host or hosts from which the
user can connect to the server. For information about account
representation in the user table, see
Section 6.2.3, “Grant Tables”.

The account may also have a password. MySQL supports
authentication plugins, so it is possible that an account
authenticates using some external authentication method. See
Section 6.3.10, “Pluggable Authentication”.

There are several distinctions between the way user names and
passwords are used by MySQL and your operating system:

User names, as used by MySQL for authentication purposes, have
nothing to do with user names (login names) as used by Windows
or Unix. On Unix, most MySQL clients by default try to log in
using the current Unix user name as the MySQL user name, but
that is for convenience only. The default can be overridden
easily, because client programs permit any user name to be
specified with a -u or
--user option. This means that anyone can
attempt to connect to the server using any user name, so you
cannot make a database secure in any way unless all MySQL
accounts have passwords. Anyone who specifies a user name for
an account that has no password is able to connect
successfully to the server.

MySQL user names can be up to 32 characters long. Operating
system user names may be of a different maximum length. For
example, Unix user names typically are limited to eight
characters.

Warning

The limit on MySQL user name length is hardcoded in MySQL
servers and clients, and trying to circumvent it by
modifying the definitions of the tables in the
mysql database does not
work.

You should never alter the structure of tables in the
mysql database in any manner whatsoever
except by means of the procedure that is described in
Section 4.4.5, “mysql_upgrade — Check and Upgrade MySQL Tables”. Attempting to redefine
MySQL's system tables in any other fashion results in
undefined (and unsupported!) behavior. The server is free to
ignore rows that become malformed as a result of such
modifications.

To authenticate client connections for accounts that use MySQL
native authentication (implemented by the
mysql_native_password authentication
plugin), the server uses passwords stored in the
user table. These passwords are distinct
from passwords for logging in to your operating system. There
is no necessary connection between the “external”
password you use to log in to a Windows or Unix machine and
the password you use to access the MySQL server on that
machine.

If the server authenticates a client using some other plugin,
the authentication method that the plugin implements may or
may not use a password stored in the user
table. In this case, it is possible that an external password
is also used to authenticate to the MySQL server.

Passwords stored in the user table are
encrypted using plugin-specific algorithms.

If the user name and password contain only ASCII characters,
it is possible to connect to the server regardless of
character set settings. To connect when the user name or
password contains non-ASCII characters, the client should call
the mysql_options() C API
function with the MYSQL_SET_CHARSET_NAME
option and the appropriate character set name as arguments. This
causes authentication to take place using the specified
character set. Otherwise, authentication fails unless the
server default character set is the same as the encoding in
the authentication defaults.

Standard MySQL client programs support a
--default-character-set option that causes
mysql_options() to be called
as just described. In addition, character set autodetection is
supported as described in
Section 10.4, “Connection Character Sets and Collations”. For programs that use a
connector that is not based on the C API, the connector may
provide an equivalent to
mysql_options() that can be
used instead. Check the connector documentation.

The preceding notes do not apply to ucs2,
utf16, and utf32, which
are not permitted as client character sets.
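
The following audit query is an added example, not part of the original manual text. It lists accounts that can be used without a password, as described in the items above on passwordless accounts and on native authentication. It assumes MySQL 5.7.6 or later, where the stored credential is in the authentication_string column and the account_locked column exists; the account name and password in the remediation statements are placeholders.

```sql
-- Added example. Assumes MySQL 5.7.6 or later (authentication_string and
-- account_locked columns in mysql.user). Requires SELECT on mysql.user.

-- Only plugins that keep their credential in the user table are checked.
-- Accounts using other plugins may authenticate against an external
-- password, so an empty authentication_string proves nothing for them.
SELECT
    user,
    host,
    plugin,
    CASE
        WHEN user = '' THEN 'anonymous account'
        ELSE 'named account'
    END AS account_kind,
    account_locked,
    password_expired
FROM mysql.user
WHERE plugin IN ('mysql_native_password', 'sha256_password')
  AND (authentication_string IS NULL OR authentication_string = '')
ORDER BY account_locked, user, host;

-- Rows with account_locked = 'N' accept a connection from any client that
-- supplies the user name (for example with -u or --user) from a matching host.

-- Remediation for each row returned; 'app_user'@'localhost' and the
-- password string are placeholders, not values from the manual.

-- Option 1: assign a password.
ALTER USER 'app_user'@'localhost'
    IDENTIFIED BY 'replace-with-a-strong-password';

-- Option 2: keep the account (for example as an object owner) but
-- prevent anyone from connecting with it.
ALTER USER 'app_user'@'localhost' ACCOUNT LOCK;

-- Option 3: remove an account that is not needed at all.
DROP USER 'app_user'@'localhost';
```

Run the SELECT again after remediation; an empty result for unlocked accounts means no account that authenticates from the user table can be used without a password.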